plan-harder
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill ingests untrusted data from both user requests and existing codebase files during 'Phase 0: Research' and 'Phase 4: Gotchas'.
- Ingestion points: Processes user input and file content from the local directory (SKILL.md, Phase 0).
- Boundary markers: Absent. There are no explicit delimiters or instructions to ignore embedded commands when the agent reads the codebase or passes the plan to a subagent in Phase 5.
- Capability inventory: The agent writes files to the disk (Phase 3) and triggers subagent reviews (Phase 5).
- Sanitization: Absent. There is no evidence of sanitization or validation of the input strings used for filename generation or plan content.
- Risk: Malicious instructions embedded in the codebase being 'researched' could manipulate the agent into generating a plan that includes harmful steps (e.g., 'Install a malicious package') which a user or subsequent agent might then execute.
- Command Execution (LOW): In 'Phase 3: Save', the skill generates filenames dynamically based on user-provided keywords. Without strict validation of the 'key words' extracted from the request, this could potentially be used for path traversal attempts if an attacker provides sequences like `../../` to write files outside the intended directory.
Audit Metadata